COVID-19 Vaccine Passports and Privacy Concerns

 Marcella Slay

Associate Editor

Loyola University School of Law, JD 2021

As businesses begin to reopen and resume operations after the pandemic, there are discussions surrounding possible vaccine passports and the concerns protecting individuals’ personal health information. COVID-19 vaccines are becoming more available within the country and more Americans feel safe to resume their normal lives. Many states and businesses are contemplating the idea of making vaccine passports a requirement for travel and large events. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was created to protect personal health information. As other countries are beginning to require proof of vaccination, many are contemplating whether vaccine passports are permitted by HIPAA or if the requirement will actually violate the federal health privacy law.

What are vaccine passports?

Various businesses are contemplating the idea of using vaccine passports to determine whether an individual has taken the COVID-19 vaccine before entering. A vaccine passport would likely operate like this: Individuals would download an app on their mobile device, create an account using biometric data such as a thumbprint or face recognition, upload COVID-19 test results and vaccination dates, and scan a QR code at travel checkpoints or event venues to verify vaccination status. For any countries that will require the vaccine passport in order to travel, the vaccination dates must fall at least fourteen days before travel. People around the world believe this could ensure safety by reducing the spread of the virus while individuals begin to travel more, both internationally and domestically. As we get closer to the summer months, larger events all over the country will take place and COVID-19 vaccine passports may become a requirement to attend.

Do vaccine passports violate HIPAA?

HIPAA is a federal statute that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services issued the HIPAA Privacy Rule to implement the various requirements of HIPAA. The Privacy Rule establishes standards regarding the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” Covered entities include health plans, health care providers, and health care clearing houses.

With the announcement of new vaccine passport apps, many individuals and groups question if the various airlines and event venues are considered entities. Several attorneys have stated vaccine passports should not violate HIPAA laws. Because the individual inputs their own health information into the app and allows the business to scan the passport, they are impliedly consenting to disclosure. The apps used for vaccine passports are not created or maintained by health care providers and therefore the individuals are not providing protected health information for health care treatment, payment, or operations. Since the apps do not fit within the definition of information meant to be protected, there are no HIPAA violations.

Current status of vaccine passports

Currently, the Biden Administration has stated there will not be a requirement for Americans to carry proof of vaccination or keep a national vaccination database. However, the private sector and regional governments are allowed to enact stricter policies. Venues, stores, and travel providers are also able to require vaccination to enter the facilities. Various states such as Florida, Texas, and Idaho have discouraged state agencies and private businesses from requiring proof of vaccination to gain entry. New York recently released its voluntary statewide Excelsior Pass app. Businesses and venues can scan and validate the pass to ensure individuals meet any COVID-19 vaccination or testing requirements for entry. Along with their Pass, individuals will be asked to show a photo ID with their name and birth date for verification purposes. Adults may hold passes for accompanying minors. New York is the first state to release a vaccine passport app, but there is a good possibility that other states will follow.

Other countries have launched passport apps such as China and the United Kingdom. The apps, similar to the New York Excelsior Pass, will be used at larger events. Multiple airlines are testing out the app Travel Pass to upload vital health credentials necessary for travel between two countries. As time passes, more nations around the world and states within the US will create vaccine passport apps. Another significant challenge in creating the apps is having multiple passes to get into different places. In the beginning this may be burdensome, but organizations are working together to create a broad vaccine passport would be to pull from data sources in a uniform way which will put them into a similar format on everyone’s phones. The Vaccine Credential Initiative, which includes more than 300 organizations including Microsoft, the Mayo Clinic, Cerner, Epic, the Commons Project and more is trying to get health organizations, including major electronic medical records companies, to adopt a standard known as smart health cards. More information regarding its implementation guidelines will be released in May. The main purpose of the passports is to slow the spread of the COVID-19 virus which changed the world in many ways one year ago. Many critics feel that the passports will discriminate against people who are not willing to take the vaccine effectively forcing those people to be excluded from travel or socializing. Despite privacy concerns, the apps are voluntary and seemingly do not violate federal health privacy laws.